Saturday, December 3, 2011

XSS vulnerability in Babylon search


Recently I installed a piece of software which changed my default search in Firefox to Babylon search. It is a popular search engine and ranks high on Alexa. The search engine can be reached at http://search.babylon.com/home

The search engine is vulnerable to a particular type of XSS attack. Since no one has ever reported a vulnerability in this search engine, I can take the credit (cool man!).

The search engine can be XSSed by first adding a normal string at the beginning of the search term and then appending the script. The search engine has implemented XSS filtering, but it can be bypassed by crafting a different vector: a script tag preceded by ordinary text is not caught.



Notice the search term that I have used here. On executing the script, an alert box is displayed, confirming that the script ran.
Here is the complete vulnerable URL:

http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert%27%29%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0
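To see why a filter that only looks at the start of the search term lets the URL above through, and what actually closes the hole, here is an added Python example. It is not code from the post or from Babylon: the `naive_filter_blocks` check is an assumption about the kind of prefix-based filter that a prepended benign string defeats (the post does not describe the filter's real logic), and the `render_*` functions are a constructed stand-in for the results page that echoes the query.

```python
from html import escape
from urllib.parse import urlparse, parse_qs

# The vulnerable URL quoted in the post.
POST_URL = ("http://search.babylon.com/?q=helloworld%3Cscript%3Ealert%28%27hackingalert%27%29"
            "%3B%3C%2Fscript%3Ehelloworld&babsrc=home&s=web&as=0&t=0")


def extract_query(url: str) -> str:
    """Return the percent-decoded value of the q= parameter, as the server sees it."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def naive_filter_blocks(term: str) -> bool:
    """Hypothetical prefix-based input filter (an assumption, not Babylon's code):
    it only rejects terms that *start* with a script tag, so 'helloworld<script>...'
    passes untouched."""
    return term.lstrip().lower().startswith("<script")


def render_vulnerable(term: str) -> str:
    """Constructed results page: echo the term into HTML unchanged once the filter passes it."""
    if naive_filter_blocks(term):
        term = ""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """Fix: encode for the HTML text context at output time, regardless of what any
    input filter decided. html.escape turns < > & " ' into entities."""
    return f"<p>Results for: {escape(term, quote=True)}</p>"


def contains_live_script(html: str) -> bool:
    """Crude check for the demo: does a literal <script> tag survive in the output?"""
    return "<script>" in html.lower()


if __name__ == "__main__":
    q = extract_query(POST_URL)
    print("decoded term:", q)
    print("naive filter blocks it:", naive_filter_blocks(q))
    print("vulnerable page:", render_vulnerable(q))
    print("hardened page:  ", render_hardened(q))
```

The point of the hardened version is that it does not try to recognise attack vectors at all; it encodes every character that has meaning in HTML, so a new bypass string changes nothing.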



11 comments:

  1. wow....... great bro... I was also hit by this adware which changed my browser's home page. Although I tried to change the homepage, after restarting the browser the hell repeats.... It even happens when I reinstalled it. But now somehow I managed it.

  2. @sai charan : yeah.. they are a headache..

  3. When I find an XSS vulnerability, what can I do with it? I stumbled over one the other day whilst looking for SQL vulnerabilities :D

    Do you have any tutorials on different things one can do?

  4. XSS is a limited vulnerability... persistent XSS has some benefits.. non-persistent XSS requires framing a social attack vector... will post a tutorial on it..

  5. Cool. Thank you. I'm looking forward to it.
